What’s New in Government Internal Control and Auditing Standards?
Houston Institute of Internal Auditors
2015 Government Auditing Conference
Page 1
Session Objectives
• To discuss GAO’s revision to the Standards for Internal
Control in the Federal Government (Green Book)
• To discuss recent developments to the Government Auditing
Standards (Yellow Book)
• To provide a general overview of the 2011 Yellow Book
Page 2
Standards for Internal Control in the Federal Government
Page 3
Going Green
1983 Present
Green Book Through the Years
Page 4
What’s in Green Book for the Federal Government?
• Reflects federal internal control standards required per
Federal Managers’ Financial Integrity Act (FMFIA)
• Serves as a base for OMB Circular A-123
• Written for government
• Leverages the COSO Framework
• Uses government terms
Page 5
What’s in Green Book for State and Local Governments?
• May be an acceptable framework for internal control on the
state and local government level under proposed OMB
Uniform Guidance for Federal Awards
• Written for government
• Leverages the COSO Framework
• Uses government terms
Page 6
What’s in Green Book for Management and Auditors?
• Provides standards for management
• Provides criteria for auditors
• Can be used in conjunction with other standards, e.g.
Yellow Book
Page 7
Updated COSO Framework
Released May 14, 2013
Page 8
The COSO Framework
• Relationship of Objectives and Components
• Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO depicts the relationship in the form of a cube:
  • Three objectives: columns
  • Five components: rows
  • Organizational structure: third dimension
Source: COSO
Page 9
From COSO to Green Book: Harmonization
COSO Green Book
Page 10
Revised Green Book: Standards for Internal Control in the Federal Government
Page 11
Overview
Standards
• Consists of two sections:
  • Overview
  • Standards
• Establishes:
  • Definition of internal control
  • Categories of objectives
  • Components and principles of internal control
  • Requirements for effectiveness
Standards for Internal Control
Page 12
Revised Green Book: Overview
• Explains fundamental concepts of internal control
• Addresses how components, principles, and attributes relate
to an entity’s objectives
• Discusses management evaluation of internal control
Page 13
Fundamental Concepts
• What is internal control in Green Book?
  • OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.
• What is an internal control system in Green Book?
  • OV1.04 An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved.
Page 14
Overview: Components, Principles, and Attributes
Achieve Objectives
Components
Principles
Attributes
Page 15
Revised Green Book: Principles
Page 16
Components and Principles
Page 17
Component, Principle, Attribute
Page 18
Overview: Principles and Attributes
• In general, all components and principles are required for an effective internal control system
• Principles and Attributes:
  • Entity should implement relevant principles
  • If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively
  • Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles
Page 19
Overview: Principles and Attributes (cont.)
• OV2.05: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.
• OV2.07 excerpt: The Green Book contains additional information in the form of attributes. . . Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.
Page 20
Overview: Management Evaluation
An effective internal control system requires that each of the five components are:
• Effectively designed, implemented, and operating
• Operating together in an integrated manner
Management evaluates the effect of deficiencies on the internal control system
A component is not effective if related principles are not effective
Page 21
Overview: Additional Considerations
The impact of service organizations on an entity’s internal control system
Discussion of documentation requirements in the Green Book
Applicability to state, local, and quasi-governmental entities as well as not-for-profits
Cost/Benefit and Large/Small Entity Considerations
Page 22
Revised Green Book: Standards
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
Page 23
Revised Green Book: Standards
• Explains principles for each component
• Includes further discussion of considerations for principles in the form of attributes
Page 24
Control Environment
Page 25
Risk Assessment
Page 26
Control Activities
Page 27
Information & Communication
Page 28
Monitoring
Page 29
Controls Across Components
Page 30
Other Key Considerations
• Standards vs. Framework
• Documentation Requirements
  • Overview lists in OV4.08 the documentation requirements found in the principles which represent the minimum level of documentation necessary for an effective internal control system
Page 31
Documentation Requirements
• Excerpt from OV2.06: If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
Page 32
Documentation Requirements (cont.)
• Control Environment
  • 3.09: Management develops and maintains documentation of its internal control system.
• Control Activities
  • 12.02: Management documents in policies the internal control responsibilities of the organization.
Page 33
Documentation Requirements (cont.)
• Monitoring
  • 16.09: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues.
  • 17.05: Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.
  • 17.06: Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.
Page 34
Accessibility of Green Book
• Comments raised during exposure identified new need:
• How do we make the Green Book more accessible to our user community?
Page 35
The Green Book Layout
• Changed the layout of the Green Book itself to make it more
user friendly:
• Introduced a highlights page
• Facsimile page
• Graphics throughout the overview and standards
Page 36
Highlights Page
Page 37
Facsimile Page
Page 38
Cube as Navigation Aid
Page 39
The Green Book in Action
• Relationship between the Green Book and Yellow Book
Page 40
Green Book and Yellow Book
• Can be used by management to understand requirements
• Can be used by auditors to understand criteria
Page 41
The Yellow Book: Framework for Audits
• Findings are composed of:
  • Condition (What is)
  • Criteria (What should be)
  • Cause
  • Effect (Result)
  • Recommendation (as applicable)
Page 42
Linkage Between Criteria (Yellow Book) and Internal Control (Green Book)
• Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system
Page 43
The Yellow Book: Framework for Audits
• Findings are composed of:
  • Condition (What is)
  • Criteria (What should be)
  • Cause
  • Effect (Result)
  • Recommendation (as applicable)
Page 44
Linkage Between Findings (Yellow Book) and Internal Control (Green Book)
• Findings may have causes that relate to internal control deficiencies
Page 45
Effective Date
• Green Book effective beginning fiscal year 2016 and for the FMFIA reports covering that year
• Management, at its discretion, may elect early adoption of the Green Book
Page 46
Government Auditing Standards
Yellow Book Update
Page 47
Yellow Book Update
• New Interpretation
• Future Plans for Revision
Page 48
New Interpretation: Peer Review Ratings
GAO developed interpretive guidance on assessing and reporting on the results of peer reviews in government environment:
• New report ratings do not change the thresholds for deficiency
reporting
• Matters identified during peer review that are not included in
report may be communicated orally or in writing
Page 49
Yellow Book Interpretations
• Same authority as Yellow Book
• Presented to Advisory Council
• Addressed with key stakeholders
• Posted to GAO website
Page 50
Future Plans for Revision
• Plans for the next Yellow Book revision are underway
• Areas being considered for revision include:
• CPE
• Competence
• Further clarify updates
• Updates for ASB attest section modifications
• Peer review
Page 51
Government Auditing Standards
2011 Yellow Book
Page 52
Yellow Book = “GAGAS”
GAGAS—Generally Accepted Government Auditing Standards:
• Broad statements of auditors’ responsibilities
• An overall framework for ensuring that auditors have the
competence, integrity, objectivity, and independence in
planning, conducting, and reporting on their work
• For financial audits and attestation engagements, incorporates
and builds on the AICPA standards (SASs and SSAEs)
Page 53
The 2011 Yellow Book: Applicability
• Chapters 1, 2, and 3 apply to all GAGAS engagements:
  • Chapter 1: Government Auditing: Foundation and Ethical Principles
  • Chapter 2: Standards for Use and Application of GAGAS
  • Chapter 3: General Standards
• Chapter 4: Standards for Financial Audits – applies only to financial audits
• Chapter 5: Standards for Attestation Engagements – applies only to attestation engagements
Page 54
The 2011 Yellow Book: Applicability (cont.)
• Chapters 6 and 7 apply only to performance audits:
  • Chapter 6: Field Work Standards for Performance Audits
  • Chapter 7: Reporting Standards for Performance Audits
• Appendix: Provides additional guidance (not requirements) for all GAGAS engagements
• Interpretations: Available on the Yellow Book web page. Provide additional guidance (not requirements) for areas of particular interest or sensitivity
Page 55
Chapter 2: Types of GAGAS Engagements
• All audits begin with objectives, and those objectives determine the type of audit to be performed and the applicable standards to be followed
• The types of audits that are covered by GAGAS, as defined by their objectives, are classified in the Yellow Book as:
  • Financial audits
  • Attestation engagements
  • Performance audits
Page 56
Chapter 2: Use of Terminology
Standardized language to define the auditor requirements
• Consistent with AU-C 200:
  • Must indicates an unconditional requirement
  • Should indicates a presumptively mandatory requirement
  • Text not using the above conventions is considered explanatory material
Page 57
Chapter 3: General Standards
• Independence
  • Conceptual framework
  • Provision of nonaudit services to auditees
• Professional judgment
• Competence
  • Technical knowledge
  • Continuing Professional Education
• Quality Assurance
  • System of quality assurance
  • Peer review
Page 58
Chapter 3: Independence
• In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be independent
• Independence comprises:
  • Independence of Mind
  • Independence in Appearance
Page 59
Applying the Framework
Conceptual Framework:
1. Identify threats to independence
2. Evaluate the significance of the threats identified, both individually and in the aggregate
3. Apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level
4. Evaluate whether the safeguard is effective
Documentation Requirement: Para 3.24: When threats are not at an acceptable level and require application of safeguards, auditors should document the safeguards applied.
Page 60
Independence Conceptual Framework
Applying The Framework
Threats could impair independence
• Do not necessarily result in an independence impairment
Safeguards could mitigate threats
• Eliminate or reduce to an acceptable level
Page 61
Additional Documentation Requirements
1. Auditors must document application of safeguards in place
2. Auditors must document assessment of skill, knowledge, and experience (SKE)
Page 62
Applying the Framework: Categories of Threats
1. Management participation threat
2. Self-review threat
3. Bias threat
4. Familiarity threat
5. Undue influence threat
6. Self-interest threat
7. Structural threat
Page 63
Applying the Framework: Examples of Safeguards
1. Reassign individual staff members who may have a threat to independence
2. Have separate staff perform the non-audit and audit services
3. Have professional staff from outside of the team review the work
4. Use or consult with an independent third party
5. Involve another audit organization
6. Decline to do the requested scope of the non-audit service
Page 64
Nonaudit Services
1. Determine if there is a specific prohibition. Unless specifically prohibited, nonaudit services MAY be permitted but should be documented
2. If not prohibited, assess the nonaudit service’s impact on independence using the conceptual framework
3. If the auditor assesses any identified threat to independence as higher than insignificant, assess the sufficiency of audited entity management’s skill, knowledge, and experience to oversee the nonaudit service
4. And…
Page 65
Nonaudit Services (cont.)
4. If the auditor concludes that performance of the nonaudit service will not impair independence, document assessments in relation to both:
  • Safeguards applied in accordance with the conceptual framework and
  • The auditor’s assessment of sufficiency of audited entity management’s skill, knowledge or experience to oversee the nonaudit service (paragraph 3.34)
Page 66
Assessing Management’s Skill, Knowledge, and Experience
• Factors to document include management’s:
  • Understanding of the nature of the nonaudit service
  • Knowledge of the audited entity’s mission and operations
  • General business knowledge
  • Education
  • Position at the audited entity
• Some factors may be given more weight than others
• GAGAS does not require that management have the ability to perform or reperform the service
Page 67
Sufficiency of Skills, Knowledge and Experience
• Sufficient skills, knowledge and experience may be judged based in part on:
  • Ability of the responsible audited entity personnel to understand the nature and results of the nonaudit service
  • Ability of the responsible person to identify material errors or misstatements in a nonaudit service work product
  • Ability and willingness of the responsible person to take meaningful action in the event of identification of a problem with the nonaudit service
• Client prepared material in poor condition may indicate the client is not capable of taking responsibility for the service. Significant audit findings and adjustments may also be indicative of this issue.
Page 68
Safeguards: Nonaudit Services
Auditors should document safeguards when significant threats are identified:
• Auditor has responsibility to perform the assessment; this cannot be a management assertion
• Assessment should be in writing and indicate actions the auditor has taken to mitigate the threat
• Assessment should include a conclusion
• Auditor should document actions taken to mitigate the threat (safeguards)
• An example of safeguards for nonaudit services may include actions taken by the auditor to preserve independence such as an extra level of review or secondary review
Page 69
Prohibited Nonaudit Services
Management responsibilities (not a comprehensive list):
• Setting policies and strategic direction for the audited entity
• Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities
• Having custody of an audited entity’s assets
• Reporting to those charged with governance on behalf of management
• Deciding which of the auditor’s or outside third party’s recommendations to implement
Page 70
Continuing Professional Education (CPE)
No revision to overall requirements
• Minimum of 24 hours of CPE every 2 years
  • Government
  • Specific or unique environment
  • Auditing standards and applicable accounting principles
• Additional 56 hours of CPE for auditors involved in
  • Planning, directing, or reporting on GAGAS assignments or
  • Charge 20 percent or more of time annually to GAGAS assignments
• Minimum of 20 hours of CPE each year
Page 71
Chapter 3: General Standards System of Quality Control
Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel
Page 72
Chapter 3: General Standards System of Quality Control
Added a requirement that the quality control policies and procedures collectively address:
• Leadership responsibilities for quality within the audit organization
• Independence, legal, and ethical requirements
• Initiation, acceptance, and continuance of audit and attestation engagements
• Human resources
• Audit and attestation engagement performance, documentation, and reporting
• Monitoring of quality
Page 73
Peer Review Ratings
The peer review team uses professional judgment in deciding the type of peer review report
Types of peer review ratings:
• Pass
• Pass with deficiencies
• Fail
Page 74
Chapter 4: Financial Audits
• Incorporate by reference AICPA Statements on Auditing
Standards
• Additive requirements (performing and reporting) for financial
audits
• Additional considerations for financial audits
Page 75
Chapter 5: Attestation Engagements
• Separated attest requirements:
  • Examination
  • Review
  • Agreed-Upon Procedures
• Update considerations:
  • Clarified distinctions between engagement types
  • Emphasized AICPA reporting requirements
Page 76
Chapter 5: Attestation Engagements
• Incorporate by reference AICPA Statements on Standards for Attestation Engagements (SSAEs)
• Additive requirements (performing and reporting) for financial audits
• Additional considerations for GAGAS attestations
Page 77
Chapter 6: Performance Audit Fieldwork
• Reasonable assurance
• Significance
• Audit Risk
• Planning
• Supervision
• Obtaining sufficient, appropriate evidence
• Audit documentation
Page 78
Chapter 6: Performance Audits Level of Assurance
Performance audits that comply with GAGAS provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions
Page 79
Chapter 6: Performance Audits Sufficient, Appropriate Evidence
• Appropriateness is defined as a measure of quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions
• Sufficiency is defined as a measure of quantity of evidence used for addressing the audit objectives and supporting findings and conclusions
Page 80
Chapter 6: Performance Audits Criteria
Represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated
Page 81
Chapter 6: Performance Audits Criteria
Examples of criteria:
• Purpose or goals prescribed by law or regulation or set by
officials of the audited entity
• Policies and procedures established by officials of the audited
entity
• Technically developed standards or norms
• Expert opinions
Page 82
Chapter 7: Performance Audits Reporting
• Auditors must issue audit reports communicating the results of each completed performance audit
• Auditors should use a form of the audit report that is appropriate for its intended use and is in writing or in some other retrievable form
Page 83
Chapter 7: Performance Audits Report Contents
Auditors should prepare audit reports that contain:
• Objectives, scope, and methodology of the audit
• Audit results, including findings, conclusions, and
recommendations, as appropriate
• Statement about the auditors’ compliance with GAGAS
• Summary of the views of responsible officials
• Nature of any confidential or sensitive information omitted
Page 84
Chapter 7: Performance Audits Reporting Views of Responsible Officials
Auditors should:
• Obtain and report views of responsible officials concerning
findings, conclusions, recommendations, and planned
corrective actions
• Include in report an evaluation of the comments, as
appropriate
Page 85
Where to Find Us
• The Yellow Book is available on GAO’s website at:
www.gao.gov/yellowbook
• The Green Book is available on GAO’s website at:
www.gao.gov/greenbook
• For technical assistance, contact us at:
[email protected] or [email protected]
or call (202) 512-9535
Page 86
Thank You
Questions?
Page 87